Where are we today?

What is Vulnerability Discovery?


Vulnerability discovery is a process used to uncover and fix the types of software defects that have security impact when present in information systems: vulnerabilities.
Problem Statement (1)

Security analysts document:

■ Preconditions for exploitation

■ Impacts of exploitation

■ Remediation for system administrators

Gap: the underlying engineering causes
Problem Statement (2)

The vulnerability discovery process needs to reach a point where it can be systematically used by developers and testers to improve the practice of security engineering.
Problem Statement (3)

Today the discovery process is too ad hoc for software engineers, who need:

■ Root cause analysis (not just attack vectors)

■ Line numbers in code, function points, and data and execution path analysis

■ Tools, and the knowledge and motivation to use them in their process
Why is this a problem?

Because the security industry, by and large, is still too reactive.

And the later a vulnerability is found, the more costly it is to fix . . .
Who are we?

Vulnerability Researchers
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Our Vision

Enabling informed trust and confidence in a networked world means

Zero

vulnerabilities in software
Another Perspective

Finding vulnerabilities using test tools and techniques

Translating the context needed to fix them properly

Providing quality assurance as early in the product lifecycle as possible, ideally without exploits
Goals

■ Perform discovery work in a safe environment

■ Transform analytical understanding into engineering knowledge

■ Reduce the amount of time and effort (cost) required to find and fix vulnerabilities

WE DO THIS TODAY by BUILDING DISCOVERY TOOLS for ENGINEERS
Our Agenda

Translating our domain expertise into engineering knowledge and tools that can eliminate all known types of vulnerabilities as early in the product lifecycle as possible
Case Studies

Motivation:

To gain experience with the knowledge, process, and tools useful as discovery agents

To understand the potential engineering principles behind the discovery of software vulnerabilities

Results:

Targeted discovery work in selected technologies
An Easy Target: ActiveX

1995 - OLE 2, COM, ActiveX

2000 - CERT/CC ActiveX Security Workshop

2005 - VU#680526: new vector for exploiting COM vulnerabilities via Internet Explorer discovered

2006 - Dranzer, the COM Object Tester
Other Applications

Red teaming and penetration testing

Targeted critical infrastructure protection

Aiding intelligence, law enforcement, and military operations

Vulnerability re-discovery:

■ To help reverse engineer attack tools

■ To independently validate analysis

■ To bridge the gap between discoverers and analysts
Summary (1)

■ Finding more effective test methods to discover vulnerabilities is hard and requires knowledge about vulnerabilities and the systems they are a part of

■ Developing effective test tools requires knowledge, experimentation, innovation, and time


2006 Carnegie Mellon University

Summary (2)

■ Translating vulnerability analytical products into engineering knowledge is needed to bridge the current gap between the security community and the developer community
Questions

What questions do you folks have?
Coda

Vulnerability discovery is both a journey and a destination:

It needs a stable environment to thrive

It needs to become much more disciplined to create engineering knowledge

It needs a community of like-minded folks to grow tools and techniques
For More Information

Contact the CERT/CC Vulnerability Discovery Project by email:

Subject: Vulnerability Discovery Project Request

To: cert@cert.org
Carbon Copy: ish@cert.org

Visit the CERT® web site

URL: https://www.cert.org/

Contact the CERT Coordination Center

Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh PA 15213-3890
USA

Hotline: +1-412-268-7090

CERT/CC personnel answer 24x7, 365.25 days per year

Fax: +1-412-268-6989

mailto:cert@cert.org